MCP Dev Summit North America

* What if MCP was Symmetric? An exploration on what would be possible if servers could call tools from clients. 

The impulse to rewrite the auth stack for AI agents is strong, but we cannot design away the fundamental relationships standards protect. This session explores how MCP is reshaping OAuth—not abandoning it—to meet the ecosystem's unique challenges:

The "Unregistered Client" Problem: Traditional OAuth requires pre-registration. MCP breaks this. We’ll see how Client ID Metadata Documents (CIMD) allow agents to bring their own identities to arbitrary servers, how it improves on Dynamic Client Registration, and how to mitigate the risks of unregistered clients.

Separation of Concerns: Why your MCP server shouldn't be your Authorization Server. We’ll cover how Protected Resource Metadata (RFC 9728) enables dynamic auth server discovery, keeping agents lightweight and security boundaries clean.

Enterprise-Managed Authorization: To stop "click-through fatigue," we’ll introduce the Identity Assertion Authorization Grant. This moves consent to the enterprise policy layer, enabling secure, scalable adoption.

Join me to secure the agent ecosystem—from discovery to governance—not by reinventing the wheel, but by making incremental improvements to the way it turns.

MCP is becoming stateless in one of the largest changes to the protocol since its launch.

This change simplifies the deployment of robust servers, making MCP ready for the next wave of scaled usage driven by agents and use cases like MCP Apps.

This session led by members of the Transports Working Group:
- Explores the upcoming changes - and sharing real data from Google and Hugging Face on the motivation behind them.
- Details the latest approaches on handling serverless Elicitation, Sampling and Sessions.
- Introduces the application and infrastructure patterns that can take advantage of the stateless protocol.

We'll also update on the latest roadmap status and expected migration timelines and approach

As the MCP specification evolves, so do the subtle behavioral differences between implementations that undermine the protocol's core promise: compatibility without coordination. How do you ensure a client built with the Python SDK behaves identically to one built with TypeScript, C#, or Go?

This talk introduces MCP's conformance testing infrastructure. Real SDK implementations run against scenarios that analyze their behavior and assess conformance. Each scenario exercises a specific protocol interaction from OAuth flows and Client ID Metadata Documents to resource metadata discovery, verifying that every SDK handles it correctly.

I'll cover how we built this, what we found when we ran it across SDKs, and how it's changed the way we develop and ship spec changes. You'll learn how conformance testing prevents entire categories of bugs, accelerates code generation of new implementations, increases security guarantees by simulating attacks, and enables evidence-based SDK tiering. I'll also cover how you can get involved: writing new scenarios, running tests against implementations, and helping close the gap between spec and reality.

In November 2025 the Model Context Protocol introduced Tasks, which deliver first-class async semantics, something that is both excellent, and hard. Tasks define long-running operations with explicit client/server coordination, TTLs, and lifecycle states. They require durable state beyond ephemeral connections and require developers address distributed-systems concerns like stable task identity, rediscovery via tasks/list, mismatched sync/async expectations, and failures across retries and restarts.

This talk digs into all of those concerns through real implementations. We’ll examine what the spec requires, and what it intentionally leaves open (i.e. how durability is achieved), as well as what happens when clients or servers restart mid-task. We’ll talk about how to do idempotency right, and how those choices shape polling, backpressure, and error handling. We’ll also cover how to best do human-in-the-loop when the Task has input_required, all while avoiding any tight coupling between the client and server.

You’ll come away with concrete practices for building robust async MCP clients and servers, and a clearer mental model of the distributed systems issues the spec encodes.

Since its inception, we've talked about MCP from the perspective of Clients and Servers. This session focuses on an interesting paradigm taking advantage of the intentional asymmetry of the MCP spec - what if a Client was also a Server? What happens when we break out of a singular client-server pair and into multiple? What can this idea tell us about the future of MCP?

This session will cover the concept of an "MCP Agent" - a Client that is also a Server. We'll construct a system design for this MCP Agent to other servers and MCP agents and touch on several key considerations including auth and scalability.

Participants are expected to have an introductory knowledge of MCP, the mechanics of how Clients and Servers interact with each other, and a general interest in agent-to-agent communication!

You approve one sudo command (Ubuntu's default timeout is 15 minutes), so now your agent can `rm -rf /` your entire machine without asking again. You could run in a sandbox, but even there, `gh` can add a public SSH key to your account, or leak a token into the context window.

These aren't hypotheticals. Agents have deleted production databases and wiped drives using interfaces designed for humans, not autonomous AI. CLIs optimize for human ergonomics; APIs optimize for programmatic flexibility. Neither provides what agents need: structural safety boundaries, workflow context, graceful error recovery and auditable actions.

MCP can solve virtually all of these. This talk explores what breaks when agents use CLIs and APIs, and how MCP addresses these failures through protocol-level security, structured tool definitions, workflow guidance, consent flows, and registries.

We'll see why MCP offers the only sane path forward for safe agentic AI, and how it enables enterprise governance that unlocks mass corporate adoption. We'll also discuss gaps that still need addressing. You'll leave knowing exactly why "just use CLIs" is dangerous advice—and what to do instead.

What if your workflow engine wasn't just a consumer of MCP servers, but was itself built entirely on the MCP protocol? This talk explores a novel architecture that uses MCP's newest primitives to create a production-ready workflow orchestration system.
We'll demonstrate how MCP's task framework provides natural workflow step management, while sampling enables intelligent decision-making at each stage. You'll see how dynamic tool definition works at both workflow and step levels, allowing workflows to adapt their capabilities on the fly. We'll also cover practical challenges like handling OAuth authentication flows mid-execution and coordinating multiple MCP servers within a single workflow.
Through a real-world case study you'll see how MCP's composability transforms workflow design. Rather than building yet another workflow engine that happens to use MCP tools, we'll show how treating MCP as the foundation protocol unlocks new patterns for distributed, intelligent automation.
Attendees will leave with a deeper understanding of the MCP specification and how the capabilities can be composed to create production-ready workflow applications.

The Nov 2025 release of MCP introduced a new client capability: URL Elicitation. This capability is game-changing for MCP servers that interact with external systems. But don't just take our word for it... Hear it straight from the author of the spec!

In this talk, Nate (lead author of URL Elicitation) will break down the "what" and "why" of this new addition to the protocol. You'll learn about:
- Why it's a mistake to reuse or "pass through" OAuth tokens from one server to another
- The confused deputy problem and other common pitfalls to watch out for
- How URL Elicitation unlocks a secure way for MCP servers to call external services that use OAuth or API keys, require payments, or gather sensitive information
- The correct security patterns for any remote MCP server project today

No need to be a security expert to attend! Nate will break down the problems and solutions in clear, relatable language, and provide crucial guidance for anyone building MCP servers in 2026 and beyond.